Light Dark
January 17, 2017 By Sagi Kedmi 3 min read
Endpoint
Software Vulnerabilities
X-Force

The IBM X-Force Application Security Research Team recently discovered an arbitrary write vulnerability in Nexus 9’s kernel (the Tegra kernel branch). Google’s Android Security Team acknowledged the vulnerability, which allows a privileged attacker to arbitrary write values within kernel space, and assigned it a high severity rating.

Kernel arbitrary write primitives can be used to achieve kernel code execution, which completely compromises the security of the device, not including TrustZone. It increases the TrustZone attack surface and allows attackers to access application data and override the Security-Enhanced Linux (SELinux) policy.

The vulnerability has existed since Nexus 9’s inception back in November 2014. It was reported to the Android Security Team on June 20, 2016, and fixed on Sept. 5, 2016. This flaw was verified on what were then the latest Nexus 9 images:

Vulnerable code in the Nexus 9

The registers debugfs file node is initialized with the following write file operation:

That is, on write system call, cl_register_write() securely copies a user space buffer and parses its contents as two numeric values: val, a value to be written, and offs, an offset from a constant address. Cl_dvfs_writel() is then fed with val and offs (cast into a four-byte aligned address).

Eventually, __raw_writel() is used to write value val at offs+, which results in an arbitrary kernel write.

The vulnerability is reminiscent of an issue previously disclosed by security researcher Marco Grassi.

Attack surface analysis

We analyzed the Discretionary Access Control (DAC) and Mandatory Access Control (MAC; SELinux on Android) to find out which active processes can trigger the vulnerability.

DAC-wise, who can write to the file?

The attacker must execute code under root within the debugfs SELinux context:

SELinux-wise, what contexts can write to a debugfs file?

To find out which SELinux contexts can trigger the vulnerability, we analyzed Nexus 9’s (MOB30M) sepolicy. We need to find SELinux domains with allow rules that have target type debugfs with the open and write permissions on the file class.

Analyzing Nexus 9’s sepolicy (MOB30M) yields:

That is, SELinux-wise, any domain can open, write and append to any file with the debugfs context.

What active processes can trigger the vulnerability? Analyzing active processes on the device yields the following:

Code execution within any of the processes above can trigger and exploit the vulnerability.

Last words

To exploit the vulnerability from an untrusted application security context, start by escalating privileges from an untrusted app to one of the contexts of the aforementioned processes. For instance, CVE-2016-0807, disclosed by Zach Riggle, may be used, since it allows an untrusted app to execute code within debuggerd.

The commit that fixed the vulnerability indicates that Google simply removed the registers file from the debug file system. Clearly, the registers file node was not needed on production builds.

Visit the X-Force exchange to learn more about vulnerabilities

 |  |  |  |  |  | 
Sagi Kedmi
Security Researcher, IBM

More from Endpoint
November 28, 2023

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

October 30, 2023

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

October 19, 2023

Endpoint security in the cloud: What you need to know

9 min read - Cloud security is a buzzword in the world of technology these days — but not without good reason. Endpoint security is now one of the major concerns for businesses across the world. With ever-increasing incidents of data thefts and security breaches, it has become essential for companies to use efficient endpoint security for all their endpoints to prevent any loss of data. Security breaches can lead to billions of dollars worth of loss, not to mention the negative press in…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature